
Gigaset Android smartphones infected with malware after supply chain attack

A new supply chain attack made the headlines: threat actors compromised at least one update server of smartphone maker Gigaset to deliver malware.

The German device maker Gigaset was the victim of a supply chain attack in which threat actors compromised at least one of the company's servers to deliver malware.

Gigaset AG, formerly known as Siemens Home and Office Communication Devices, is a multinational corporation based in Germany. The company is most active in the area of communications technology. Gigaset manufactures DECT telephones. In 2018, it had 888 employees, revenue of 280 million Euro and sales activities in approximately 70 countries.

The supply chain attack took place around April 1, 2021, when the malware was delivered to the Android devices of the German vendor. According to the blog BornCity, multiple users have reported malware infections: their devices were infected with adware designed to display unwanted and invasive ads. Many Android users reported the infections on the Google support forums.

The German website heise.de published a list of the unwanted apps (or package names) and services that have been installed on the devices of the users. The following list is not complete and other apps could be present on the impacted devices:

Below is the list of potential consequences of the infections reported by BornCity:

  • Browser windows suddenly open with advertisements or redirect to gambling sites
  • WhatsApp accounts are blocked (due to critical activities)
  • Facebook accounts may be taken over completely
  • SMS messages may be sent automatically
  • The device goes into “do not disturb” mode
  • The battery is drained quickly
  • The smartphone becomes slow

“Initial indications from affected users suggest that data may also have been deducted from the smartphones. I had reported extensively on this issue in the blog post German Gigaset Android Update Server probably delivers malware (more posts are only available within my German blog).” states the BornCity website.

One of the most disturbing symptoms reported by Gigaset users is the sending of WhatsApp and SMS messages; in some cases WhatsApp suspended the accounts for suspicious activity.

Gigaset confirmed the supply chain attack and revealed that only users who received firmware updates from the compromised server were impacted. The vendor is already working “on a short-term solution for the affected users.”

“During routine control analyses, we noticed that some older smartphones had malware issues. This finding was also confirmed by inquiries from individual customers. We take the issue very seriously and are working intensively on a short-term solution for the affected users.

In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.

We expect to be able to provide further information and a solution within 48 hours.

It is also important to mention at this point that, according to current knowledge, the incident only affects older devices.

We currently assume that the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3 and GS4 devices are not affected.” said a Gigaset spokesperson.


Pierluigi Paganini

(SecurityAffairs – hacking, Gigaset)
